Upgrade to remove ads
Only $35.99/year

CIA- Part 1

Terms in this set (91)

Internal Auditing
An independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
How does IA help an organization accomplish its objectives?
By bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
What is the purpose of the "Standards"? (4)
1. Delineate basic principles that represent the practice of internal auditing.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.
Attribute Standards (1000s)
Govern the responsibilities, attitudes, and actions of the organization's internal audit activity and the people who serve as internal auditors.
Performance Standards (2000s)
Govern the nature of internal auditing and provide quality criteria for evaluating the internal audit function's performance.
Implementation Standards
Expand upon the individual Attribute or Performance Standards that apply to all IA engagements. Each standard describes the requirements of either assurance or consulting engagement.
What are the 3 strongly recommended elements of International Professional Practices Framework (IPPF)?
Position Papers, Practice Advisories, Practice Guides
Authority of Internal Audit
Through a final audit charter, IA has the access to all records, personnel, and physical properties relevant to the performance of every engagement.
What is the primary purpose of the Code of Ethics?
To promote an ethical culture among professionals who serve others.
What are some functions (3) of a code of ethical conduct for a professional organization to include?
1. Communicating acceptable values to all members.
2. Establish objective standards against which individuals can measure their own performance
3. Communicating the organization's value to outsiders.
A code of ethical conduct can help
1. Reduce the likelihood of members being sued for substandard work (based on the wording)
2. Help establish minimum standards of competence, but it is impossible to require equality of competence by all members of a profession
To be effective, a code of conduct must:
Provide for disciplinary actions for violators
The core principles of The IIA's Code of Ethics:
1. Integrity
2. Objectivity
3. Confidentiality
4. Competency
Integrity
A refusal to compromise professional values for personal gain. Another aspect is performance of professional duties in accordance with relevant laws.
Objectivity
A commitment to providing stakeholders with unbiased information. Another aspect is a commitment to independence from conflicts of economic or professional interest.
Confidentiality
A refusal to use organizational information for private gain.
Competency
A commitment to acquiring and maintaining an appropriate level of knowledge and skill.
The Institute's Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components:
1. Principles that are relevant to the profession and practice of internal auditing.
2. Rules of Conduct that describe behavior norms expected of internal auditors.
Rules of Conduct- Integrity (1)
Internal Auditors:
1. Shall perform their work with honesty, diligence, and responsibility.
2. Shall observe the law and make disclosures expected by the law and the profession.
3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of IA or the organization.
4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
Rules of Conduct- Objectivity (2)
Internal Auditors:
1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment.
2. Shall not accept anything that may impair or be presumed to impair their professional judgement.
3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
Rules of Conduct- Confidentiality (3)
Internal Auditors:
1. Shall be prudent in the use and protection of information acquired in the course of their duties.
2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
Rules of Conduct- Competency (4)
Internal Auditors:
1. Shall engage only in those services for which they have the necessary knowledge, skills and experience.
2. Shall perform internal audit services in accordance with the International Standards for the the Professional Practice of Internal Auditing ('Standards').
3. Shall continually improve their proficiency and the effectiveness and quality of their services.
Internal Audit Charter
A formal document that defines the internal audit activity's purpose, authority and responsibility. It establishes the IA activity's position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance engagements, and defines the scope of IA activities.
Who has the final approval of the internal audit charter?
The Board (management is also included during CAEs review/communication of charter).
What is the Chief Audit Executive's (CAE) responsible for in regards to the IA charter?
Periodically assess whether the IA's purpose, authority and responsibility, as defined in the charter is adequate to accomplish its objectives. The CAE is also responsible for communicating the result of this assessment to senior management and the board.
What three attributes should be included in the IA Charter?
The mandatory nature of the:
1. Definition of Internal Auditing
2. The Code of Ethics
3. The Standards

The CAE should also discuss these with sr. mgmt and the board.
Chief Audit Executive
Describes a person in a senior position with appropriate certifications/ qualifications responsible for effectively managing the IA activity in accordance with the IA charter and the Definition of Internal Auditing, The Code of Ethics, and the Standards.
The Board
The highest level of governing body charged with the responsibility to direct or oversee the activities and management of the organization. Typically this body is an independent group of directors (ie. a BOD, a supervisory board, or board of governors or trustees).
The CAE meets with the members of the internal audit activity at scheduled staff meetings. What would be appropriate function of the staff meeting?
Time spent explaining administrative policies and obtaining suggestions from the staff.
Independence (Attribute Standard 1100)
The freedom from conditions that threaten the ability of the IA activity to carry out responsibilities in an unbiased manner.
Dual Reporting
Separates functional reporting and administrative reporting.
Organizational Independence (Attribute Standard 1110)
The CAE must report to a level within the organization that allows the IA activity to fulfill its responsibilities.
How often does the CAE have to confirm organizational independence of IA activity to the board?
On an annual basis (at least)
How does the CAE report to the Board?
Functionally
Examples of CAE functional reporting to the Board:
1. Approving the IA audit charter
2. Approving the risk based IA plan
3. Approve the IA budget and resource plan
4. Receiving communications from the CAE on the IA's activity's performance relative to its plan
5. Approving the appointment and removal of the CAE
6. Approving the remuneration of the CAE
7. Making appropriate inquiries of mgmt and CAE to determine whether there are inappropriate score or resource limitations.
How does the CAE report to the CEO (and or Sr. Mgmt)?
Administratively
Individual Objectivity (Attribute Standard 1120)
IAs must have an impartial, unbiased attitude and avoid any conflict of interest.
Staff Assignments- Objectivity
CAE organizes staff assignments to prevent potential/actual conflict of interest and bias. This is done by periodically obtaining information from the IA staff concerning potential conflict of interest and bias, and when practicable, rotating internal audit staff assignment periodically.
When is an internal auditors objectivity not adversely affected?
When the auditor RECOMMENDS standards of control for systems or REVIEWS procedures before they are implemented.
When is an internal auditors objectivity adversely affected?
If the auditor designs, installs, drafts procedures for, or operates such systems.
Who must establish policies and procedures to assess the objectivity of individual internal auditors?
The CAE. These can take the form of periodic reviews of conflicts of interest or as-needed assessments during the staffing requirements phase of each engagement.
If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to........?
The appropriate parties.
Scope Limitation
A restriction placed on the internal audit activity that precludes the activity from accomplishing its objectives and plans.
What types of activities could a scope limitation restrict?
a) Scope defined in the IA charter
b) IA's activity's access to records, personnel, and physical properties relevant to the performance of engagements.
c) Approved engagement work schedule
d) Performance of necessary engagement procedures
e) Approved staffing plans and financial budget
Administrative Reporting
The reporting relationship within the organization's management structure that facilitates the day-to-day operations of the internal audit activity.
Administrative Reporting typically includes:
1. Budgeting and management accounting
2. Human resource administration, including personnel evaluations and compensation
3. Internal communications and information flows
4. Administration of the internal audit activity's policies and procedures
How long does an internal auditor have to wait to assess activities they were previously responsible for in another position?
At least one year; otherwise the internal auditor will be impairing their objectivity.
Proficiency
The knowledge, skills, and other competencies needed to fulfill internal audit responsibilities.
Due Professional Care
The care and skill expected of a reasonably prudent and competent internal auditor.
Proficiency and due professional care are the responsibility of who?
The CAE and each internal auditor
All internal auditors must have proficiency in applying:
1. Internal audit standards, procedures, and techniques in performing engagements
2. Accounting principles and techniques if internal auditors work extensively with financial records and reports
The internal auditor must have knowledge of:
1. The indicators of fraud sufficient to identify them
2. Key information technology risks and controls and available technology-based audit techniques
What are the four components (levels) of Auditor proficiency?
1. Proficiency
2. Knowledge
3. Understanding
4. Appreciation
Understanding
The ability to apply broad knowledge to situations like to be encountered, to recognize significant deviations, and to research reasonable solutions.
Appreciation
The ability to recognize the existence of problems of potential problems and to identify the additional research to be undertaken or the assistance to be obtained.
Internal Audit Resources
The CAE must ensure the IA activity is able to fulfill its responsibilities by making sure the current staff is sufficient.
The CAE should conducts skill assessments at least annually to evaluate the following areas:
1. Interpersonal skills
2. Tools and techniques
3. Internal audit standards, theory, and methodology
4. Knowledge areas
When are staff performance appraisals completed and how do they help the CAE?
They are completed at the end of any major internal audit engagement and help the CAE assess future training needs and current staff abilities.
If the IA staff is not able to fulfill internal audit responsibilities, what should be considered?
External service providers.
How much of internal audit activity can be outsourced?
An organization may outsource, none, all, or some of the functions. However, oversight of and responsibility of the IA activity must NOT be outsourced.
Cosourcing
Is performance by internal audit staff of joint engagements with external service providers
Exercising due professional care involves internal auditors being alert to:
The possibility of fraud, intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, conflicts of interest, and conditions/activities where irregularities are most likely to occur.
Quality Assurance and Improvement Program
Covers the entire spectrum of assurance and consulting work performed by the internal audit activity as prescribed in the IA charter.
What kind of assessments occur in the QAIP?
Internal assessments: ongoing monitoring and periodic assessments
External assessments: may take form of a full external assessment or a self-assessment with independent validation.
What is the primary objective of QIAP?
To promote continuous improvement and presumes that quality is built into the structure of the IA activity.
QAIPs include an evaluation of:
1. Conformance with the Definition of IA, the Code of Ethics, and the Standards, including timely corrective actions to remedy any significant instances of nonconformance
2. Adequacy of the IA activity's charter, goals, objectives, policies and procedures
3. Contribution to the org. governance, risk management, and control processes
4. Compliance with applicable law, regulations, and government or industry standards
5. Effectiveness of continuous improvement activities and adoption of best practices
6. The extent to which the IA activity adds value and improves the organizations operations
Reporting on QAIP
The CAE must communicate the results of the quality assurance and improvement program to senior management and the board.
Internal Assessments
Ongoing monitoring determines whether processes are delivering quality on an engagement-by-engagement basis. Ongoing monitoring is primarily achieved through:
1. Standard working practices
2. Engagement planning
3. Supervision
4. Assessing the audit engagement action plan prior to fieldwork
5. Using checklists or automation tools to provide assurance on compliance with established practices and procedures
6. Working paper procedures and signoff by engagement supervisors
7. Review of reports and supporting documentation for comments
8. Feedback from internal audit clients and other stakeholders
9. Using performance measure appropriate and relevant to the IA activity
What is the most fundamental element of the quality assurance process?
Adequate supervision. It begins with planning and continues throughout the performance and communication phases of the engagement. Improvement opportunities can be addressed continuously.
How often should the CAE report the results of internal assessments, necessary action plans, and their successful implementation to Sr. Mgmt and the board?
At least annually.
External Assessments
Must be conducted at least once every FIVE years by a qualified, independent, assessor, or assessment team from outside the organization. The CAE must discuss with the board:
- The form and frequency of external assessments;
- The qualifications and independence of the external assessor/assessment, including any potential conflict of interest.
Internal Control is
1. Intended to achieve objectives relating to operations, reporting and compliance
2. An ongoing process
3. Effected by people at all organizational levels (i.e the board, mgmt, and all other employees)
4. Able to provide reasonable, but not absolute, assurance
5. Adaptable to an entity's structure
Operations (Control Objectives)
Relate to achieving the entity's mission and safeguarding of assets.

This includes: improving financial performance, productivity, quality, innovation and customer satisfaction. AND avoiding waste, inefficiency, and bad business decisions.
Reporting (Control Objectives)
To make sound decisions, stakeholders must have reliable, timely and transparent financial information. Reports may be prepared for use by the organization and stakeholders.
Compliance (Control Objective)
Entities are subject to laws, rules, and regulations that set minimum standards of conduct (i.e taxation, environmental protection, and employee relations).
The internal control systems is more likely to provide reasonable assurance for which control objectives?
Reporting and Compliance (not operational).
What are the five COSO components of internal control?
Control Activities
Risk Assessment
Information and Communication
Monitoring
Control Environment

They stop CRIME.
Control Environment
A set of standards, processes, and structures that pervasively affects the system of internal control.
The organization demonstrates a commitment to integrity and ethical values by (4):
1. Setting the tone at the top
2. Establishing standards of conduct
3. Evaluating the performance of individuals and teams based on the established standards of conduct
4. Correcting deviations in a timely and consistent manner
The board demonstrates independence from management and exercises oversight for internal control. The board (4):
1. Establishes oversight responsibilities.
2. Applies relevant experience by defining, maintaining, and periodically evaluating skills and expertise needed among its members to ask difficult questions of management and take appropriate actions
3. Operates independently
4. Provides oversights (of mgmts design, implementation, conduct of internal control).
Risk Assessment Process
Encompasses an assessment of the risks and the need to manage organizational change. It is a basis of how the risks should be managed.
What must the organization consider while assessing fraud risks?
1. Consider the various types of fraud
2. Assess incentives and pressures
3. Assess opportunities
4. Assess attitudes and rationalizations
CoCo Framework
Formally known as Guidance on Control. It was published in 1995 by the Canadian Institute of Chartered Accountants. It is thought to be suited for internal auditing purposes. It consists of 20 criteria grouped into 4 components: Purpose, Commitment, Capability, Monitoring and Learning
The Turnbull Report
Formally known as Internal Control: Guidance for Directors on the Combined Code (UK).
COBIT
It is the best known control and governance framework specifically for IT controls. Ci
eSAC
An alternative control model for IT. Known formally as Electronic Systems Assurance and Control.
Control
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Control Processes
The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure risks are contained within the level that an organization is willing to accept.
What five steps does the control process include:
1. Establishing standards for the operation to be controlled
2. Measuring performance against the standards
3. Examining and analyzing deviations
4. Taking corrective action
5. Reappraising the standards based on experience
Transaction Trails (Characteristics of Automated Processing)
The nature of the trail is often dependent on the transaction processing mode. For example, transactions may be batched prior to processing or processed immediately as they happen.
Uniform Processing of Transactions (Characteristics of Automated Processing)
...
Sets with similar terms